Every IT Asset Is A [Security] Liability

During my time at university in the 90s, the Internet and its use in academia were something of a novelty, if not a luxury. GUI “PCs” with 256MB hard drives and 3.5” floppies, together with the formative applications, were considered the latest thing. Few students were required to use computers as part of their studies. Indeed, the university library may well have considered itself groundbreaking to have digitised its book database. IT barely registered in most people’s day-to-day lives.

Roll forward a few years: when I entered the world of business, Internet-connected IT infrastructure was still in its infancy. Desktop PCs ran Windows 95, and staff had access to email to communicate with other staff, but not all had external email addresses. Psion handheld organisers were the domain of the tech-savvy executive. Operating systems, right through to Windows NT 4.0, were still built by painstakingly loading a dozen floppy disks in sequence, praying that none would suffer terminal read failure.

The Internet was only just becoming a business enabler. Firewalls were a thing of the future and proxy servers were simply there to cache Internet traffic so as to reduce the contention on dial-up or ISDN Internet bandwidth. Security vulnerabilities came in the form of email attachments with the potential to corrupt a Microsoft Office document, and consequently desktop virus scanners were equally primitive. As long as you had a backup of the data, viruses threatened little downtime or corporate risk.

I would assert that little changed for another 10-15 years – the fundamental recipe for security success was to routinely scan for viruses, restrict unwanted inbound access at your network perimeter, deploy web-facing servers in a sandboxed DMZ and patch Windows desktop and server security vulnerabilities. Other operating systems were largely left untouched by hackers and IT departments alike, notably Novell NetWare servers, whose owners actively bragged about their server uptime stats.

Today, in this hyper-connected era, we all have 4G Internet-enabled mobile phones and tablets, and want immediate access to both consumer and business IT platforms at the click of a button. Schools insist kids carry an iPad to class (other tablet brands are available!) and do all their homework online. Overnight ferry journeys, transatlantic flights, underground tube travel – none of these threaten to break our ever-present connection to the web.

Unfortunately, whilst the development of web-accessible content has progressed at a giddy rate, it has come at a price. We have witnessed an explosion in the number, variety, approach and ferocity of security vulnerabilities over the last few years. If we consider the latest security vulnerabilities (POODLE, Heartbleed, BEAST et al), within days or hours of the vulnerability being acknowledged by the affected vendor(s), the first exploits have been published online and attacks launched in the wild. Indeed, POODLE and BEAST, having rendered SSL extinct, triggered the need for an overnight rework of web server security, PC browsers, mobile apps, IT systems and corporate network security.

My late grandfather once said, ‘every acquisition is a liability’. We must recognise that every IT device connected to the Internet presents its own security liability. Whilst we as an IT service provider continue to invest heavily in security infrastructure, training, tools and people, security has become one of the most significant overheads. In order to keep a lid on the threat, we have put together an extensive security programme including twice-weekly security board meetings, quarterly penetration tests carried out by accredited third parties, weekly PC reboots, Nessus vulnerability scans, a new 10-point action plan to baseline each client’s security posture, timely reviews of all newly published threats and ongoing communication to clients as to the counter-measures required.

Given the effort involved and with the stakes so high, how long can the average business expect their internal IT department to weather the storm? If they do, it won’t be without huge investment, and if they don’t, and decide to outsource the risk, they’ll need to choose their managed service provider wisely.